[Figure: Behavior Patterns Before and After Infection with a Re-Infector Virus]

Pre-infection: operating system functions called
Create New Window
Load resources
Wait for user input
Load Document
Wait for user input
Check file size
Write to Document
Close File
Post-infection: operating system functions called
Modify INT21 address
INT21 points at CS
Search for first EXE
Move to End-of-file
Check size of file
If larger than 10K
Write to File
Search for next EXE

User Input

Behavior pattern bit string: 0010110010101110 1001 0101 0101 0011 00101101 0101 0101 0101 1101 01001011
[Figure: scanner architecture; component labels recovered from the diagram]
Storage
FileHook VxD
DataBase (Executables)
Compare
DOS / Windows Applications
Known
File Format Interface
VBA
Executable Loader
Virtual PC
Scanner
Window
Dynamic Memory Array (400Kb)
Behaviour
Signature
Close Update Comp
Analysis
Warning



[Figure: compound file layout as seen by the AV engine]
Header and FAT
Directory
Stream #1
Directory
Stream #3
Stream #2
Stream #3
FAT
FAT sector chain: 9 10 11 12 (-1 indicates end of stream)



AV engine to File Format interface: FSSIO.DLL, NEPELE.DLL

[Figure: V80X86 memory maps for binary COM and EXE files]
COM file memory map
Vectors
BIOS data
Environment String table
DOS Data
MCB
PSP
Executable Program Image (COM)
256kB
Display Adapter (128kB)
Int. Services
CS offset 0, DS
IP=100, CS = DS*10h
Offset 0
After loading, CS:IP is moved to the entry point

EXE file memory map
Vectors
BIOS data
Environment String table
DOS Data
MCB
PSP
Executable Program Image (EXE)
256kB
Display Adapter (128kB)
Int. Services
EntryPoint, CS:IP
[Figure: emulation of operating system functions]
Operating System Functions
Program Loader
Interrupt Services Simulation
Modified Interrupt vector caller
Behavior Flags
[Figure: virtual 32 bit CPU (v80x86) and emulated memory]
12 byte Prefetch
Instruction Decoder
Virtual 32 bit CPU v80x86
Data Fetch
8/16/32 bit registers
Behavior Pattern
Interrupt Vectors
DOS RAM
Program Memory (256Kb): Program, Data Seg., Extra Seg., Stack Seg.
VGA (128K)
Int. Services